Networking-Forums.com

Professional Discussions => Security => Topic started by: Dieselboy on July 13, 2022, 05:45:41 AM

Title: Private key data in certificate store
Post by: Dieselboy on July 13, 2022, 05:45:41 AM
I warned a business that they had pushed a CA certificate to desktop machines, but the CA public and private keys were included. In mmc it says "you have a private key that corresponds to this certificate".
I said it could be possible to retrieve the private key. So I set out trying to do that.

I think that the key is marked as non-exportable, because when I try to export the cert, the option to include the private key is greyed out.
When I try to run a repair using certutil via PowerShell on the CA cert thumbprint, a message comes up requesting to insert a smart card.

I'm not 100% sure where the private key is stored, in encrypted files on the HDD or the TPM.

I can export the CA certificate and private key from the Windows registry, edit the registry file and then import that to my local user area in the personal certs. It then shows up in mmc for that specified location and displays that there is a private key included. I still cannot export the private data. I did not try importing this reg file into another machine for obvious reasons. I just want to demonstrate the risk, not create one.

So I wasn't able to export the private key data. According to the WWW, exporting the registry allows the cert and private key pair to be imported to another Windows system.
In any case, there's no need to push the CA private key to end systems. Is there anything more I can do to get the tech teams to realise? I am expecting they will argue that I've not been able to extract the private key, therefore it is secure  :)
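A defender-side check for the situation described above (an added example, not code from the thread): it enumerates the machine's trust stores for certificates that carry a private key, flags the ones whose basic constraints mark them as a CA, and reports which key storage provider holds the key (software KSP versus the TPM-backed "Microsoft Platform Crypto Provider") and its export policy. Assumes Windows PowerShell 5.1 or later and local admin rights for the LocalMachine stores.

```powershell
# Audit: CA certificates in trust stores that have a private key on this endpoint.
# A CA cert in Root/CA should never carry a private key on a client machine,
# regardless of whether that key is marked exportable.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Resolves provider and export policy for both CNG (KSP) and legacy CSP keys.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'non-RSA or inaccessible key' }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: provider name tells software KSP from TPM platform provider
            return ('{0}; export policy: {1}' -f $rsa.Key.Provider.Provider, $rsa.Key.ExportPolicy)
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $rsa.CspKeyContainerInfo
            return ('{0}; exportable: {1}' -f $info.ProviderName, $info.Exportable)
        }
        return $rsa.GetType().Name
    } catch {
        return "key present but not readable: $($_.Exception.Message)"
    }
}

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            $bc = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                IsCA       = if ($bc) { $bc.CertificateAuthority } else { $false }
                KeyInfo    = Get-PrivateKeyInfo -Cert $cert
            }
        }
}

# Any row with IsCA = True is a finding to raise with the team that pushed the cert.
$findings | Sort-Object IsCA -Descending | Format-Table -AutoSize
```

Run it across a few endpoints (for example via remoting) to show the private key is present fleet-wide rather than on one test machine; the finding stands whether or not the key is exportable.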
Title: Re: Private key data in certificate store
Post by: Otanx on July 13, 2022, 08:53:53 AM
I would say you have the private key if you can export it from the registry. If you view the registry file, is the key listed there? It may be base64 encoded, but you may be able to copy it out instead of importing the reg file again.

Also not 100% sure, but if it is a CA key can you get Windows to sign another cert with that private key? A quick Google says you need the Windows CA Services, but maybe you can install that, or do it without. That would show that any user could generate their own certs that are signed by the CA even if they can't get to the private key directly.

-Otanx
Title: Re: Private key data in certificate store
Post by: deanwebb on July 13, 2022, 12:09:46 PM
I know there are some guys in Russia, Iran, and/or China that could get that private key info for you. :smug:

Even if you cannot get the private key data, this business is in severe breach of standards. If they handle any PII data, medical data, financial data, or government data, they will fail hard on a compliance audit. They need to stop doing that thing that they are doing and roll it back to undo what they have done.
Title: Re: Private key data in certificate store
Post by: Dieselboy on July 14, 2022, 02:00:03 AM
There was a cert there in hex but I wasn't sure how to decode it. It was my first time looking at a registry certificate. I managed to decode some text which said the name of the cert, but other text was weird characters, so it looked like it wasn't decoded.

With the CA private key, I could have issued certs using OpenSSL very simply. I have a step-by-step documented to do that.

As Dean said, a big no no regardless.
I tried to think how it would have come about. When a server cert is installed, you need the private key there. So maybe they used that logic when setting up the SSL decryption CA cert on the machines. Either way it's not right.

With the registry file I was thinking I could import to another machine, maybe less secure like windows 7 or earlier. Or miniPE and export the key more easily because less secure. I might try this myself for research, not using any real data.
Title: Re: Private key data in certificate store
Post by: icecream-guy on July 15, 2022, 01:54:38 PM
If your private key is in the public domain, then you need to revoke and re-issue correctly.
(public domain = on some other computer than the cert issuer)

We had some guy a few years ago that wanted a cert and included his private key, to a wide distribution list. I called him on it and security made him reissue. Just think if hackers got access to that key and could decrypt, what damage they could do.
Title: Re: Private key data in certificate store
Post by: deanwebb on July 16, 2022, 07:46:02 AM
^THIS. All of this. :)